I get a lot of questions about how to best organize the ISA Firewall's firewall policy for performance and accuracy. While there is no specific "hard coded" way to do this without having a deep understanding of how the ISA Firewall processes firewall rules, Network Rules, Web Chaining Rules, and Web caching rules, you can still do a lot of to optimize your firewall rule set by using the following simple guidelines:
- Global deny rules. Rules that deny specific access to all users. These rules should use the rule elements that require simple networking information. An example of such a rule would be a rule that denies all users access from anywhere to anywhere on protocols used for peer-to-peer file sharing.
- Global allow rules. Rules that allow specific access to all users. These rules should use the rule elements that require simple networking information. An example of this would be a rule allowing access on the DNS protocol from the Internal network to the External network.
- Rules for specific computers. Rules that allow or deny access for specific computers, for example, a rule allowing UNIX computers access to the Internet.
- Rules for specific users, URLs, and MIME types, and also publishing rules. Rules that contain rule elements that require additional networking information, and that enforce policy for specific users, or for specific URLs or Multipurpose Internet Mail Extensions (MIME) types. Publishing rules should also occur at this point in the rule order.
- Other allow rules. Rules that handle traffic that does not match rules that occur previously in the list of rules, assuming the traffic is allowed by your corporate policy. For example, a rule allowing all traffic from the Internal network to the Internet.
Server publishing and Web publishing rules can be placed anywhere in the rule order after global allow or deny rules. In the Enterprise Edition, publishing rules can only be created on the array level.
For Enterprise Edition, placing rules higher in the rule order means placing them in the pre-array enterprise rules, if possible. The next place in the order would be in the array rules, and the lowest position would be in the post-array enterprise rules.
For more information about optimizing ISA firewall policy, check out: